On Blockchain Metatransactions

04/17/2020 ∙ by István András Seres, et al. ∙ Eötvös Loránd University 0

In cryptocurrencies, transaction fees are typically exclusively paid in the native platform currency. This restriction causes a wide range of challenges, such as deteriorated user experience, mandatory rent payments by decentralized applications, and blockchain community rivalries (e.g., coinism). Ideally, in a truly permissionless blockchain, transaction fees should be payable in any other cryptocurrency via so-called metatransactions. In this paper, we formalize metatransactions, review existing ideas, and describe novel metatransaction design approaches. Under the assumption of sufficient market liquidity, we argue that metatransactions do not lower the security of cryptocurrency platforms. However, without changing the underlying blockchain, metatransaction designs typically increase transaction costs and reduce the blockchain transaction throughput.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 5

page 9

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Cryptocurrencies have attracted significant attention, in part due to their ability to promote neutrality through disintermediation. Their neutrality stems from their typically permissionless nature: anyone is allowed to join and leave the network at any time, while their censorship resilience

protects individuals from potentially overreaching entities. Another aspect of neutrality is the inherent ability to fork an open-source blockchain, i.e. to clone one blockchain into two independent versions, if e.g. the blockchain community’s vision diverges. This freedom, however, comes at a price. Instead of unifying efforts, we have witnessed an explosion in the number of blockchains and cryptocurrency tokens that compete rather than collaborate. This competition naturally arises as many blockchains have the same objective; to become the predominant decentralised platform for asset transfers and decentralised application hosting.

While competition in open-source projects and their ability to fork are not new phenomena (see e.g. Linux), in the context of blockchains, financial incentives exacerbate competition. We count historically about 900 Linux distributions111Source: https://distrowatch.com/ within the last 28 years, and the last 10 years have brought to fruition circa blockchain coins and about blockchain tokens222Source: https://coinmarketcap.com/coins/views/all/ deployed on existing blockchains.

All blockchains we are aware of rely on one native currency . e.g. serves as the currency to pay transaction fees to miners and may be minted when creating a block. Typically, no other currency is eligible to replace in this special function. Indeed some blockchain creators openly criticise the use of alternative currencies333https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1559.md. We observe that this exclusivity leads to several challenges:

Deteriorated User Experience

A user that wishes to perform a transaction that does not involve , e.g. a stablecoin transaction444Stablecoins are typically less volatile coins that are, for example, pegged to a fiat currency., such as Tether or DAI [4], is required to purchase and use to perform the transaction. This results in additional usability frictions and UI complexities, which could be avoided if transaction fees could be paid directly via another currency .

Mandatory Rent

Every project that builds upon an existing blockchain is forced to adopt and implicitly pays rent to the holder of . That is because users of are required to purchase whenever they want to interact with .

Social Coinism

A few vocal owners of publicly become the advocates of this coin, despite the availability of other potentially more suitable technologies and blockchains. Coinism is likely to alienate communities, preventing healthy, productive collaborations and could ultimately stifle innovation.

To remedy these problems, in this work, we study the options available to replace the currency of an already deployed blockchain with one or several alternative currencies, and consider the implications. We adopt the blockchain community jargon metatranscations as denoting transactions that pay fees to miners or other intermediaries in a currency other than . Summarizing, we provide the following contributions within this work:

  • We review an existing fee delegation scheme that supports the payment of transaction fees in currencies other than a native blockchain currency .

  • We formalize the notion of metatransactions and present two novel designs, one miner-based and one off the chain scheme.

  • We discuss the implications of metatransactions and show how an adversary may perform a hostile blockchain takeover with metatransactions. We argue that metatransactions do not affect the blockchain’s security under assumptions of market liquidity.

The rest of the paper is organized as follows. Section 2 presents pertinent background on smart contract enabled blockchains. In Section 3 we formally define metatransactions and present an existing fee delegation design, while Section 4 shows two new metatransaction schemes. Section 5 compares these two metatransaction protocols. Section 6 analyses the economic and security implications of introducing metatransactions into a blockchain system. We highlight related work in Section 7 and point out possible extensions as future directions in Section 8.

2 Background

Blockchains enable the construction of append-only immutable ledger maintained by a distributed network of nodes [33]. The majority of current systems [33, 42] rely on a random leader election process as part of their consensus mechanism. An elected participant decides on the current state transition: a set of transactions altering the ledger state, arranged in a so called block. For example, in Proof-of-Work (PoW) blockchains, the leader is the first participant to solve a computationally expensive puzzle [33]. For a thorough background on Bitcoin and blockchain, we refer the reader to a systematization of knowledge [6]. Smart contract enabled blockchains allow to encode programmable logic which may execute transactions and manipulate cryptocurrency amounts. Contract code is typically executed in a Virtual Machine (VM), which is a quasi-Turing complete execution environment executing bytecode. The number of computational steps a transaction can perform in the VM is bounded to deter denial-of-service (DoS) attacks [34].

A crucial aspect of a smart contract VM is the fee mechanism. Every VM opcode costs a certain fee which should ideally be proportional to the computational complexity of that opcode. There typically exist a “base” transaction fee representing the minimum transaction fee555The base fee in Ethereum is e.g., gas ( in Tezos [21]), and not applicable to internal transactions.. Note that due to the halting problem [40] one cannot anticipate the required fees of smart contract execution and therefore typically define a maximum fee. Once this maximum is reached, the execution is terminated. To the best of our knowledge, we are not aware of a blockchain that natively supports the payment of transaction fees in a different currency than the native blockchain currency.

Off-Chain Transactions For use cases such as micropayments, on-chain transaction fees and confirmation time latencies represent significant practical obstacles. Payment channels allow parties to exchange transactions locally, i.e. not broadcasting them to the network, and rather update a local balance sheet. The blockchain is only utilized as a recourse for channel initiations, disputes and closures. This permits payment channel participants to send payments without on-chain fees and short confirmation times. We refer the reader to a systematization of knowledge [22] for an overview of off-chain constructions.

2.1 Notation

In the following, we denote as a cryptographically secure hash function. Let and denote secret and private keys respectively of an asymmetric cryptographic protocol. The corresponding blockchain address is obtained by . We refer to a specific tuple element by its name in the subscript. Transactions, defined in Section 3.2, can be broadcast on-chain or sent off-chain. To capture this, we introduce the functions and . If necessary we indicate in the superscript of these functions the blockchain platform, where the said transaction is issued.

3 Metatransactions

In this section, we provide a system model and formalize metatransactions. We also review existing fee delegation schemes. Informally, a metatransaction is a (set of) transaction(s) that allows paying transaction fees in a currency other than the native blockchain currency .

3.1 System Model

In the following, we describe our system model, functionalities and threat model for metatransactions.

3.1.1 Actors

The following actors may be involved in a metatransaction:

  • [leftmargin=*]

  • Sender: a blockchain user with an asymmetric key pair which issues metatransactions.

  • Receiver: a receiver of a metatransaction.

  • Relayer: a metatransaction design might involve one or more non-trusted intermediaries that assist in the transaction processing.

  • Smart contract: a contract to enforce the metatransaction protocol logic, e.g., to reimburse miners and/or intermediaries for their services.

  • Miner: choose to accept (meta)transactions within a mined block.

3.1.2 Informal Functionality

A metatransaction protocol enables a sender to issue and pay for blockchain transactions without using , the native currency of the blockchain.

3.1.3 Communication model

We assume broadcast transactions in the P2P network are delivered with a maximum delay under the bounded synchronous communication setting [2]. Furthermore, we assume all actors can access and read the current head of the blockchain to verify if transactions are appended to the blockchain. We remark that these are standard assumptions in the blockchain literature [3, 18].

3.1.4 Threat model

We assume that the cryptographic primitives of the blockchain hosting the smart contract are secure. Furthermore, we assume the adversary cannot corrupt more than of consensus participants of the blockchain (i.e.  of the computational power in case of a PoW blockchain). Note that under the presence of selfish mining attacks, this threshold may be lowered [17, 19]. The adversary may corrupt or perform DoS attacks on intermediaries. Lastly, we assume that senders are not eclipsed, i.e. they are capable of broadcasting transactions [31, 43, 20].

3.1.5 Security goals

Designing a practical and trust-minimising metatransaction protocol is non-trivial. For example, one cannot know a priori which miner is going to include a transaction within a blockchain block. This might require to allow anyone that mines a metatransaction to claim the corresponding transaction fee in a non-native currency . Moreover, for security purposes, transactions composing a metatransaction must be executed atomically, i.e. either all transactions execute, or none. Atomicity ensures that the sender has to pay fees, and miners must perform their service if they collect fees. Finally, compared to ordinary transactions, metatransactions should not incur additional delays when being included in a blockchain and in particular should be resilient to censorship. These observations lead us to the following informal security goals that metatransactions should ideally satisfy:

Atomicity:

A metatransaction may be composed of multiple transactions (cf. Definition 3.1). To execute a metatransaction successfully, any sub-transaction of a metatransaction must be executed atomically, i.e., within the same block.

Censorship Resistance:

Metatransactions should be as difficult to censor as regular transactions.

3.2 Formal Definition

We provide the following formalism building on related work [3, 18] to capture metatransactions.

Definition 3.1.

Transaction A transaction is a tuple where is the sender and is the receiver of the transaction. The transaction fee offered in the native currency is denoted as and  denotes the transaction fee offered in another currency than the native currency . represents a reference to another transaction. In particular, is the of a transaction which should be included in the blockchain before can be appended. We define the id of a transaction to be . Let be a predicate which is true if is appended to the blockchain and false otherwise. For the time being, we assume that all transactions are issued on the same blockchain.

Our Definition 3.1 captures the fact that in most cryptocurrencies, paying transaction fees in can only be achieved implicitly through the side-effects of an additional transaction on the same blockchain (we discuss cross-chain metatransactions in Section 8). Intuitively one can think of a metatransaction as one transaction which pays no transaction fees in , coupled with another transaction which pays the equivalent fees in . allows us to capture dependency relations between transactions issued on the same or different blockchains to construct atomic transactions. Atomicity is required to e.g., prevent an adversarial miner from stealing sender funds and similarly to prevent the sender from issuing transactions without paying due fees. We remark that Definition 3.1 omits several subtleties of real-world cryptocurrency transactions: for instance, we assume but do not indicate that transactions are signed by the sender. We are not aware of any blockchain design that explicitly allows paying transaction fees in a currency different than the native currency.

Definition 3.2.

Metatransaction A metatransaction is a pair of transactions , where , and . We allow , if a single transaction is sufficient to perform a metatransaction.

On the avenue towards the first metatransaction designs, we review an existing fee delegation scheme.

3.3 Relayer-based Fee Delegation Scheme

A fee delegation scheme allows a sender to delegate the payment of transaction fees in to a non-trusted party, while receiver reimburses the non-trusted party in . In this scheme, ultimately, miners receive for mining the sender’s transaction [10]. While such a scheme may improve usability, it does not solve the other aforementioned obstacles that motivate our work (e.g., mandatory rent, coinism).

A fee delegation scheme involves a non-trusted intermediary, referred to as relayer, which performs the conversion between and on behalf of the sender. On the blockchain, transactions, therefore, appear to be paid in . A possible scheme operates as follows (cf. Figure 1). (1) A sender transmits a signed message to the relayer off the blockchain. The signed message contains the to-be-invoked smart contract (or target address), function, corresponding arguments, etc. (2) The relayer then creates an on-chain transaction which contains this signed message. pays transaction fees in . The execution of triggers the execution of the second transaction , which reimburses the relayer for its services in . This reimbursement is paid by the receiver, cf. Figure 1. The relayer, therefore, acts as an implicit exchange between and . The sender may additionally incentivise the relayer for its services by paying a small fee. Note that such fee delegation schemes do not fall under metatransaction designs (cf. Definition 3.2), because currency remains required.

Fig. 1: A relayer fee delegation scheme (not a metatransaction design). The dotted arrow (1) represents a signed off-chain message, while continuous lines represent regular on-chain transactions. The relayer issues a regular on-chain transaction on behalf of the sender, and the relayer is compensated in a non-native currency . Note that in this example the transaction fees in is borne by the receiver, i.e. the sender delegates the transaction fee payment to the receiver.

Positively, the execution of and is atomically enforced due to their explicit dependence. A major disadvantage of such fee delegation scheme, however, is that the relayer can censor a sender or become unavailable (e.g., due to a crash or a DoS attack). One avenue to mitigate such weaknesses could be the establishment of a network of relayers, we, however, leave this to future work.

4 Metatransaction Designs

In the following section we outline our metatransaction design proposals.

4.1 Miner-based Metatransaction

Our first metatransaction design enables a sender to pay transaction fees directly in to a miner , without resorting to an intermediary (cf. Algorithm 1). The protocol proceeds as follows:

  1. creates a transaction, which executes a desired action (e.g. a cryptocurrency transfer or a smart contract invocation), and pays no transaction fees.

  2. A second transaction triggered by or pays transaction fees for both and in to a miner-can-spend address .

  3. can claim accrued transaction fees in from the miner-can-spend address.

1;
2 ;
3 ;
Algorithm 1 A miner-based metatransaction construction. A sender creates two transactions, one which executes an action and doesn’t pay fees, while the other pays fees in .
Fig. 2: The order of transactions involved in the miner-based metatransaction scheme. Sender transfers transaction fees in to an anyone-can-spend address. Miners subsequently collect accrued fees at that address. Note, in this construction all transactions occur on-chain.

The challenge here is that a sender does not know beforehand which miner will mine the next block. A solution is to send the transaction fee to an anyone-can-spend address, which is likely to be claimed by the next miner. We could envision that the community agrees on an address for the sake of clarity and uniformity666For instance, the address corresponding to the base point of the secp256k1 curve. The corresponding secret key is publicly known, , meaning that any miner can easily claim accrued transaction fees in any given block.. We remark that in some cryptocurrencies, one might be able to send fees directly to miners without knowing a priori who will mine said transaction (the Ethereum Virtual Machine provides a corresponding endpoint). This minimizes the added complexity of metatransactions, eliminating the need for an anyone-can-spend address.

Note that transaction and must be atomic, otherwise sender and miner could steal coins respectively. The atomicity of these transactions can be guaranteed, for instance, with a transaction counter.

Interestingly, to reduce on-chain costs, multiple can be batched, while one rewards the miner for their atomic inclusion. The upper bound for batching corresponds to the number of transactions that fit within a block.

4.2 Payment-channel-based Metatransaction

One bottleneck of the miner-based scheme introduced in Section 4.1 is the necessity to reimburse miners with following each on-chain transaction . This overhead inflates the blockchain and increases fees. To amortize on-chain costs, a sender might want to pay transaction fees off-chain (e.g. via payment channels) directly to miners.

In the following, we show how payment channels can facilitate metatransactions. One might think of a payment channel as a balance sheet between the sender and the miner . By updating the balances of the two sides, is able to reimburse without touching the blockchain. Interestingly, transaction fees are unidirectional (i.e. from to ), hence, we make use of simple Spilman-style payment channels [38]. Considering a channel , our proposed payment channel metatransaction scheme operates as follows:

Channel Establishment

To establish , necessarily needs to deposit upfront a sufficient amount of transaction fee collateral in . The initial channel balance can be described as a function defined as , where which equals the total funds locked in the channel and .

Metatransaction Issuing

For every on-chain transaction , pays the transaction fee to through an off-chain transaction .777We denote an transaction that is off-chain by underlining it (i.e. ). To issue , signs an aggregation transaction which accumulates all the valid off-chain payments. In other words, reflects the latest balance of , i.e. . In such manner, a metatransaction only requires a single on-chain transaction.

Channel Closure

Whenever the balance of is depleted or decides to finalize all the off-chain payments on-chain, can close by publishing the last aggregation transaction . To avoid the funds locked forever because of an unresponsive miner, a lifetime is set for . If doesn’t close before it expires, can then close the channel and takes back all the funds.

The benefit of this scheme is that it allows miners to amortize the cost of claiming transaction fees by not collecting them after each mined , rather they can claim those accrued fees whenever they wish to collect them by simply closing the unidirectional payment channels. In the payment-channel-based scheme, two extra on-chain transactions (for channel establishment and closure) are required for an arbitrary number of metatransactions. On the contrary, in the miner-based scheme, for number of , the miner has to issue on-chain accordingly to gather transaction fees.

4.2.1 Satisfying the Security Goals

To satisfy the security goals of metatransactions specified in Section 3.1.5, we emphasize the following atomicity conditions of our payment-channel-based scheme:

Condition 4.1.

will include in a block iff the transaction fee is secured once mines .

Condition 4.2.

An off-chain transaction in is valid iff has been mined by .

Condition 4.3.

can be finanlized on-chain iff every contained off-chain transaction is valid, i.e. every on-chain transaction has been mined by .

Thus may be asked to proof on-chain that has been mined by to make legitimate. In most blockchains, transactions in a block are constructed in a Merkle tree (or a similar structure) with the Merkle root included in the block header. As the miner of each block is verifiable, can perform the proof by presenting Merkle tree inclusion proofs888By verifying Merkle tree or Merkle–Patricia trie inclusion proofs, depending what cryptographic accumulator scheme is implemented in the blockchain. See https://github.com/lorenzb/proveth and indicating which block contains this Merkle root. However, in light of the expensive computation cost of on-chain Merkle tree proofs, we also allow to provide the acknowledgement signed by as the proof if is cooperative.

In contrast to other payment channel designs (e.g. Lightning channels [36], Duplex Micropayment Channels [12]), Spilman unidirectional channels allow the sender to stay offline without the risk of losing funds [22]. Because of the unidirection, a rational miner only publishes the last aggregation transaction which pays the highest amount. A miner must remain online to detect a timeout expiration for fraudulent channel closure. In practice, we can expect a miner to remain online for the mining process.

Before such scheme is practical, we must solve the problem that the sender is not aware of which miner will mine , which means the sender does not know a priori which miner to pay. Hence, the sender may uphold concurrently multiple open channels with different miners. Note, that when a sender issues off-chain payments to multiple miners, only one of these payments will be valid and redeemable by a miner. This is guaranteed by the transaction inclusion proof, the miner needs to provide when they redeem their earned metatransaction fees.

A miner adopting this scheme must monitor signed off-chain channel updates. Miners include transactions from the mempool iff they received a newly updated channel balance referencing the transaction.

5 Evaluation

In this section, we present our evaluation, compare the introduced metatransaction proposals qualitatively and assess quantitatively their induced overhead.

5.1 Current Transaction Usage

We empirically study the distribution of how transactions make use of the native currency in Ethereum. In Figure 3, we plot the gathered statistics taken from the Ethereum blockchain, from the genesis block up to block . We differentiate between classes of transactions:

Fig. 3: We observe a gradual increase in the number of Ethereum transactions that involve the native currency only for paying transaction fees.
Transactions transmitting Ether:

transactions that transfer Ether between accounts and may additionally perform other smart contract calls.

Ether-only transfers:

a subset of the previous transaction class, in which transactions only transfer Ether and do not perform additional smart contract calls.

Transactions not transmitting Ether:

transactions that do not transfer Ether.

ERC20 token transfers:

a subset of the previous transaction class, in which ERC20 tokens are transferred.

We observe that on the 10th of August 2019, (/) of transactions performed were ERC20 transactions. The majority of transactions, (/), do not transfer Ether; they only involve Ether for paying transaction fees. Based on the findings in Figure 3, we conclude that in Ethereum, most transactions use the native currency exclusively to pay transaction fees. We empirically evaluate the number of transaction in Ethereum that do not pay any transaction fees. We do this to quantify the current adoption of metatransaction schemes.

Fig. 4: The number of 0-gasprice transactions per month on the Ethereum blockchain correlates well with transaction fees.

We found that the number of -gasprice transactions correlates well with transaction fees, i.e., the Spearman correlation [29] amounts to . This correlation indicates that whenever transaction fees are relatively high, miners seem to include their own transactions in their mined blocks to avoid paying high transaction fees. We note that -gasprice transactions are unlikely to originate from regular users because -gasprice transactions are not forwarded on the network layer.

1;
2 ;
3 while  do
4       ;
5       ;
6       ;
7       if  then
8             ;
9             ;
10       end if
11      
12 end while
13;
Algorithm 2 A payment-channel-based metatransaction construction. A sender creates a unidirectional payment channel with a miner locking up . Sender issues off-chain balance updates paying transaction fees in . Miner includes the referenced transaction in a subsequent block. They can keep open the channel until collateral is depleted or until a pre-determined timeout expires. For ease of exposition for each transaction we account a constant transaction fee .

BBlockchain [4]ASender [4]CMiner AOpens ChannelBChannel creation confirmed metatransactions AIssues B ASigns updated channel balance C CMines B CCloses Channel by publishing B

Fig. 5: Sequence diagram of the payment-channel-based metatransaction construction. Sender opens a unidirectional payment channel with miner. Subsequently, a sender can issue multiple on-chain zero-fee transactions, while paying the corresponding transaction fee off-chain to a miner. Once the collateral of the channel is depleted or a miner chooses to collect fees, the miner closes the channel by signing and broadcasting the latest channel balance .

5.2 Miner-based Metatransaction

Account-based cryptocurrencies typically apply nonces to deter replaying transactions [42]. Each account’s nonce is incremented by one after every issued transaction. Transactions with invalid account nonces cannot be mined. Hence, in the context of metatransactions, account nonces can be used to facilitate the atomicity of miner-based metatransactions. Specifically, senders first issue and subsequently with an incremented nonce. Although pays the metatransaction fees to miner, solely cannot be mined. The transaction is invalid without the inclusion of due to the applied nonce mechanism. The metatransaction fee in can be transferred to an anyone-can-spend address, which is later redeemed by the miner of the block.

However, for example in Ethereum, one can access the miner’s address of the current block due to the scripting language of the platform. Therefore there is no need to establish an anyone-can-spend address, i.e. senders can directly transfer metatransaction fees to miners in . Therefore, in case of Ethereum, each issued miner-based metatransaction induces the overhead of an additional internal transaction. The gas overhead of , the additional transaction, in case of Ethereum, amounts to a gas overhead, cf. Table II.

We remark that unspent transaction output (UTXO)-based cryptocurrencies, like Bitcoin, can adopt the miner-based metatransaction scheme with minimal overhead. Such metatransaction only contains one additional UTXO, which essentially implements . Namely, sends the metatransaction fee to an anyone-can-spend address, which can be redeemed by the miner of the block.

5.3 Payment-channel-based Metatransaction

Payment-channel-based metatransactions could potentially incur minimal overhead for the blockchain. Practically speaking, thousands of metatransactions can be sent only by issuing two on-chain transactions. Nevertheless, the on-chain footprint of this construction seems minimal as two on-chain transactions are necessary to establish and close the payment channel with the miner, cf. Algorithm 2.

Fig. 6:

Metatransaction inclusion probability as the function of established payment channels in the payment-channel-based metatransaction scheme.

To show the practicability of this scheme we conduct several measurements. First, we note that as of 2020 March 22, in Ethereum, there are dozens of active mining pools (cca. 70) 999Source: https://etherscan.io/stat/miner?blocktype=blocks

. We observe that the hashrate distribution of mining pools follow an exponential distribution with

( = 6.0053, p = 0.7393). This already suggests that a handful of established payment channels with miners might suffice to provide sufficiently fast transaction inclusion, cf. Figure 6. Indeed, five mining pools control as large as of the network’s hashrate. Hence, as few as five established payment channels per user to these largest mining pools guarantees approximately transaction inclusion probability. The incurred gas cost of opening payment channels is linear in the number of established channels. Therefore, more opened payment channels yield only marginal gains in transaction inclusion probability as the hashrate of miners follow an exponential distribution.

Fig. 7: Break-even points for the payment-channel-based metatransaction construction in comparison with the miner-based construction.

Repeated usage of metatransactions would render the payment-channel based construction more practical than the miner-based construction, cf. Figure 7. In the miner-based construction, each issued metatransaction produces a constant, gas overhead (cf. Table II), while the payment-channel based construction incurs no additional gas overhead. Hence, repeated metatransaction usage amortizes the cost of opening channels with miners. In case of Ethereum, the cost of opening a payment channel is gas. Therefore, if a user issues at least , , metatransactions, then they can amortize the cost of opening , and payment channels with miners, respectively. Nonetheless, whenever a user wants to send transactions and assuming constant metatransaction fees, , then the initial deposit amounts to , where is the number of opened payment channels to mining pools. Accordingly, requiring initial deposits from users generates opportunity cost, hence constitutes a drawback of the payment-channel based construction. However, we remark that if we assume a dense payment channel network between users and miners, then users might reduce their initial deposit costs as they could route and rebalance their discharged payment channels using others’ non-discharged channels [25]. Consequently, an in-depth practicability and utility analysis of the payment-channel based scheme is a complex problem, which we leave for future work.

The closure of the payment channel may be computationally lightweight in the graceful case, i.e. when there is no dispute between miner and sender. Although in the worst case, miners need to include transaction inclusion proofs, whose added overhead may vary quite widely from to millions of gas, in case of Ethereum, cf. Table II.

5.4 Fee Delegation vs. Metatransactions

We compare the presented metatransaction and fee delegation scheme considering the following properties:

Non-custodial

Do senders remain the custodians of their assets?

Liveness

Do sender rely on an online third party besides the underlying blockchain?

Multiple Delegators

Does the solution support multiple delegators/relayers?

Integration

Can a smart contract application adopt the metatransaction protocol without code changes?

Censorship resistance

Can transactions be censored?

Miner Section 4.1 Relayer Section 3.3 Channel Section 4.2
Non-custodial yes yes yes
Liveness no yes no
Multiple delegators yes no yes
Integration no no no
Censorship resistance yes no yes
Table I: Comparing qualitatively two metatransaction and one fee delegation scheme.

To quantitatively evaluate the practicality of metatransactions we measure the incurred overhead of the discussed proposals in terms of gas costs and the number of additional transactions in Table II. Our experimental setup is structured as follows. On a local Ethereum private network (geth v1.8.22.), we deployed an ERC20 token contract with extended functionalities to enable metatransactions. For the miner and channel-based metatransactions we created a separate function on the ERC20 token contract (Solidity version 0.5) that performs the reimbursement of a miner. We quantify the overhead of issuing a metatransaction with the execution of these functions. Therefore we measured the gas costs of calling these functions101010EIP-1108, https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1108.md is expected to render the private (meta)transaction proposals [8, 41] significantly cheaper.. We observe that the miner-based scheme is the most lightweight followed by the relayer-based.

Miner Relayer Channel
Tx per Block internal tx internal tx
Gas per Tx
Table II: Added overhead to regular Ethereum transactions in terms of incurred gas costs and additional issued transactions for the various metatransaction proposals. We denote the number of metatransactions included in a block with . All metatransaction schemes require additional internal transactions, except the channel-based construction. Note that we omit the channel-opening ( gas) and closing ( gas) costs, since they are amortized over the course of numerous issued metatransactions. Using the channel construction does not incur on-chain fees since they are paid off-chain.
Fig. 8: Throughput analysis of various metatransaction and fee delegation proposals. Miner-based construction yields the highest throughput, followed by the relayer-based metatransaction scheme. For each blockchain and proposal we calculated the system’s throughput as a function of the fraction of metatransactions among all issued transactions on the blockchain.

We measure the caused impact on Bitcoin’s, Ethereum’s and Tezos’ throughput to assess the economic viability of metatransaction proposals. When the fraction of metatransactions increases, throughput monotonically decreases.

In case of Bitcoin, one can implement the miner-based protocol using a recent proposal111111See: https://simpleledger.cash. Any transaction can implement token transfers in Bitcoin by adding a single 0-value coin (unspent transaction output) to the transaction data. The average size of an unspent transaction output (UTXO) amounts to bytes [13]. On October 21, 2019, transactions were appended to the blockchain with an average 1637 byte size per transaction. We observe that if all transactions in Bitcoin would apply the miner-based metatransaction scheme, then the throughput of the blockchain would decrease from transaction per second to transaction per second, cf. Figure 8.

For Ethereum and Tezos, we calculated with a and block gas limit121212Source: https://etherscan.io/chart/gaslimit and with a and transaction per second for Ethereum and Tezos respectively, as observed on July 16, 2019. Added gas overheads per metatransaction were taken from Table II. Ethereum’s throughput decreases by and if all transactions in a block adapt the relayer fee delegation and miner metatransaction schemes respectively, cf. Figure 8. In case of Ethereum, the miner-based scheme in a non-backward compatible way only requires a single token transfer to the miner’s address. On the other hand, Tezos currently only supports this metatransaction protocol ( gas per transaction) with the difference that there one needs to apply an anyone-can-spend address as the miner’s address of a block is not available in the scripting language. The relayer-based fee delegation scheme is slightly more computationally involved. Overall we found that miner-based metatransactions incur the least overhead.

Deploying metatransactions In most blockchain P2P networks, -fee transactions are considered as a DoS attack and are not forwarded among peers. Therefore, we believe that the majority of 0-gasprice transactions we have witnessed in Figure 4 are originating from miners. To facilitate metatransactions peers could allow those -gasprice transactions which reimburse miners in non-native currencies. This added verification would yield insignificant overhead both for miners and other full nodes. Furthermore, obstacles to deploying metatransactions are that miners might not accept tokens used for metatransactions as legal tender. Negotiating a suitable token as a payment method can be cumbersome and challenging.

6 Economic and security implications of metatransactions

Here we discuss the economic and security impact of metatransactions. We describe one possible avenue to perform a malicious takeover of a blockchain’s native currency.

6.1 Discussing the economic impact of metatransactions

In traditional macroeconomics, participants of an economy typically look for substitutes of their own currency when it is sharply devalued or inflated. Most commonly these substitutes are more stable currencies of other countries [35]. On the other hand, in cryptoeconomics, most of the cryptocurrencies exhibit immense volatility [15], while there are also available deployed stablecoins [39]. Therefore cryptocurrencies seem like an ideal setting for traditional currency substitution, in our jargon metatransactions. Hence by applying the theory of currency substitution to the field of cryptoeconomics, one can expect cryptocurrency users to substitute their volatile, unstable native cryptocurrencies (e.g. ether) with stablecoins (e.g. DAI) issued on top of their used cryptocurrency platform.

Metatransactions would decrease the demand for a native currency while likely increasing demand for other currency . For instance, if all transactions are metatransactions and paid in the stablecoin DAI [39], then metatransaction fees paid in DAI would have increased DAI daily volume131313Source: https://coinmarketcap.com/currencies/dai/historical-data/ by a minimum of up to as observed on August 13, 2019, and February 19, 2019, respectively. Additionally, senders are more likely to use other currencies if their native currency’s inflation rate increases [14].

6.2 Quantifying the security impact of metatransactions

To measure the security of blockchains equipped with metatransactions, we apply the quantitative framework introduced in [19]. Namely, we adopt the value of double-spending, , as a generic metric for the security of blockchains. More precisely, denotes the minimal double-spending value, which is strictly larger than the honest mining reward:

(1)

where is the reward matrix, is the action space, is the stochastic transition matrix and is a policy. To find the optimal policy

we use the Markov-Decision Processes (MDP).

Fig. 9: Difference of the security values of Ethereum, when it is equipped with metatransactions, , and when it is not, . Security is expressed as the minimal double-spending value , which is strictly larger than the honest mining reward. Longer confirmations and less potent malicious miners increase security.

We assume a rational adversary that is interested in maximizing his benefits, measured in financial gains, in the network. We extend the MDP of [19], to model (meta)-transaction fees as well. We model (meta)-transaction fees as added constants on top of block rewards. For instance, as of writing, in case of Ethereum approximately of the full block reward comes from transaction fees. Furthermore, we assume that the metatransaction token is as liquid as the native currency. We leave it as a fascinating future work to model dynamically changing (meta)transaction fees as well. We observe that there is no major difference between the security of blockchains either they apply metatransactions or not in the constant transaction fee model, see Figure 9. Therefore the introduction of metatransactions does not negatively impact the security of a PoW blockchain. Another interesting avenue for future work would be to extend the MDP to allow modelling of bribing attacks. Double-spender adversaries might incentivise miners to mine on top of their branch by offering large (meta)transaction fees to them [30].

6.3 Blockchain currency takeover

One possible application of metatransactions is the potential replacement of the native-currency for paying transaction fees. An attacker motivated by making a certain currency dominant can displace the native currency of any blockchain by subsidizing transactions offering transaction fees in . For each transaction offering metatransaction fee , the attacker reimburses transaction sender with an equal amount in . From a sender perspective, the attack essentially results in feeless transactions. Such a currency takeover can be launched trustlessly by a token contract and it incentivises sender to no longer use as a transaction fee currency.

hour day week
attack $ $ $
Currency takeover $ $ $
Table III: The financial costs of launching a attack and a currency takeover on the Ethereum blockchain.

A blockchain currency takeover may be executed as follows:

  1. The attacker deploys the smart contract and advertises its address. The contract issues a non-native currency , which may be used to pay transaction fees.

  2. Sender can issue metatransactions where calls the contract and transfers transaction fees in to miners.

  3. Whenever sender issue metatransactions and is executed, senders are automatically and trustlessly reimbursed. Particularly, sender are refunded with the same amount, they have just sent to miners in transaction fees, i.e. in . Thereby, due to the attacker, sender effectively spend no transaction fees if they use the currency to pay the transaction fees.

To put the financial costs of a currency takeover into perspective we compare it with a rental attack, where the attacker rents mining hardware, cf. Table III. Renting an NVIDIA K80 GPU Ethereum miner on Amazon’s Elastic Compute Cloud (EC2) platform costs US per hour and it is able to perform MH/s [7]. As of 16 September 2019 the Ethereum network hashrate was approximately TH/s 141414Source: https://etherscan.io/chart/hashrate. On the same day, we observed a Ether price and that Ether was paid for transaction fees.

We remark that similar to the rental attack, also the currency takeover is temporary unless wallets and full nodes support metatransactions. The attack stops once the attacker does not hold funds to reimburse transaction sender. Furthermore, note, that currency takeover is a milder attack as it does not allow double-spending.

6.3.1 Subsidy pool maintenance

As mentioned above, a crucial aspect of the currency takeover is to maintain and sustain the subsidy pool. This is essential for the adversary in order to uphold their currency takeover. If the subsidy pool was depleted, the attacker could not subsidise users anymore to send metatransactions, hence users would not have additional financial incentives to issue metatransactions. Let denote the metatransaction fee of a transaction issued by a user and let be the subsidy offered by the attacker after every issued metatransaction. In the following, we consider two cases.

  • [leftmargin=*]

  • . Naively, an adversary might set to be the identity function. In this case, a counter-attacker, e.g. a miner or a wealthy entity, could rapidly deplete the subsidy pool just by issuing metatransactions with large fees. Note, that in this case, the counter-attack is essentially free. In summary, the problem with the identity function is that transaction senders are not incentivised to issue transactions with their true valuation of the transaction fee. However, this can be amended.

  • . To avoid warped incentives in the transaction fee valuation, one could apply another family of monotonically increasing functions. We propose the function since there exists a well-known incentive-compatibility theorem from the quadratic voting literature [28]. One might think of as the number of votes and as the cost of acquiring votes. It was shown by Lalley and Weyl [28] that the equilibrium is when users put their true valuation of , as they only have a marginal increase in their acquired votes (in our case metatransaction fee subsidy). Put differently, this reward function achieves that users will be incentivised to apply transaction fees they would use under regular circumstances. Hence, they will not be incentivised to counter-attack and deplete the subsidy pool.

7 Related Work

We build upon a rich body of literature understanding how transaction fees affect the security provisions of cryptocurrencies. Whale transactions are transactions with an anomalously large transaction fee to convince miners to fork the current chain [30]. Bonneau et al. introduce the notion of bribery attacks [5], which are conceptually related as in a bribery attack an attacker incentivises other miners to mine on a fork preferred by the attacker. In hostile blockchain takeovers, an attacker with an extrinsic motivation disrupts the consensus process [7]. Similar in spirit, we devise a blockchain currency takeover attack to replace the native currency of a blockchain as transaction fee currency. Möser and Böhme were the first to empirically analyse Bitcoin’s nascent transaction fee market [32]. Kroll et al. [27], Houy [23], and Kaskaloglu [24] consider the economics of Bitcoin transaction fees in the presence of adversaries. Additionally, they discuss potential changes to transaction fees and their policies. Easley et al. assert that Bitcoin without transaction fees is not viable [16]. Even though Bitcoin block rewards steadily decrease and the transaction fee market became more efficient and mature, Carlsten et al. show that no cryptocurrency remain stable in a block reward-free regime [11]. We remark that all these works studied a single-currency setting. To the best of our knowledge, we are the first to study metatransactions and assess their security provisions.

Furthermore, we also consider the economic literature about currency substitution and multi-currency economies as related work as they also investigate and model the impact of introducing multiple currencies as legal tender in a potentially open economy [1, 14]. More volatile exchange rates are predicted in multi-currency settings and sender are anticipated to adopt less inflated currencies. Nonetheless, these results might be applicable only partly as economic literature assumes the existence of developed economies behind currencies, while cryptocurrencies generally lack fully-fledged economies, most of them are still only considered as speculative assets.

8 Future directions

Metacoinbase So far, we only considered metatransactions to pay for transaction fees. With the flexibility of smart contract based blockchains, however, one could design a new block reward atop an existing blockchain, which is paid out in a currency . Such metacoinbase reward could be paid out to a miner under specific conditions (e.g., the reward is only paid if the miner did not accept as a currency to pay transaction fees). Carlsten et al. [11] show that cryptocurrencies do not remain stable in a block reward-free regime, further motivating the introduction of new block rewards.

Cross-chain Metatransactions A sender on blockchain might want to pay transaction fees to miners in currency of blockchain . This would require for a miner in to be aware of , and prove to that the sender’s transaction in was indeed included in the blockchain. Different techniques might allow performing such constructions [9, 26, 37], we, however, leave further details for future work.

Private Fee Auction Current blockchain transaction fee designs correspond to a public auction format. The transactions of a sender that pays the most fees are likely included first in a blockchain. Our payment-channel based metatransaction proposal (cf. Section 4.2) is to our knowledge the first scheme which allows hiding transaction fees from competing sender. The consequences of such private auction mechanism would be interesting to study in future work.

References

  • [1] O. C. Akçay, C. E. Alper, and M. Karasulu (1997) Currency substitution and exchange rate instability: the turkish case. European Economic Review 41 (3-5), pp. 827–835. Cited by: §7.
  • [2] H. Attiya and J. Welch (2004) Distributed computing: fundamentals, simulations, and advanced topics. Vol. 19, John Wiley & Sons. Cited by: §3.1.3.
  • [3] C. Badertscher, U. Maurer, D. Tschudi, and V. Zikas (2017) Bitcoin as a transaction ledger: a composable treatment. In Annual International Cryptology Conference, pp. 324–356. Cited by: §3.1.3, §3.2.
  • [4] A. Berentsen and F. Schär (2019) Stablecoins: the quest for a low-volatility cryptocurrency. Cited by: item Deteriorated User Experience.
  • [5] J. Bonneau, E. W. Felten, S. Goldfeder, J. A. Kroll, and A. Narayanan (2016) Why buy when you can rent? bribery attacks on bitcoin consensus. Cited by: §7.
  • [6] J. Bonneau, A. Miller, J. Clark, A. Narayanan, J. A. Kroll, and E. W. Felten (2015) Sok: research perspectives and challenges for bitcoin and cryptocurrencies. In 2015 IEEE Symposium on Security and Privacy, pp. 104–121. Cited by: §2.
  • [7] J. Bonneau (2018) Hostile blockchain takeovers (short paper). In International Conference on Financial Cryptography and Data Security, pp. 92–100. Cited by: §6.3, §7.
  • [8] B. Bünz, S. Agrawal, M. Zamani, and D. Boneh (2019) Zether: towards privacy in a smart contract world.. IACR Cryptology ePrint Archive 2019, pp. 191. Cited by: footnote 10.
  • [9] B. Bünz, L. Kiffer, L. Luu, and M. Zamani (2019) Flyclient: super-light clients for cryptocurrencies.. IACR Cryptology ePrint Archive 2019, pp. 226. Cited by: §8.
  • [10] V. Buterin (2018)(Website) External Links: Link Cited by: §3.3.
  • [11] M. Carlsten, H. Kalodner, S. M. Weinberg, and A. Narayanan (2016) On the instability of bitcoin without the block reward. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 154–167. Cited by: §7, §8.
  • [12] C. Decker and R. Wattenhofer (2015) A fast and scalable payment network with bitcoin duplex micropayment channels. In Symposium on Self-Stabilizing Systems, pp. 3–18. Cited by: §4.2.1.
  • [13] S. Delgado-Segura, C. Pérez-Sola, G. Navarro-Arribas, and J. Herrera-Joancomartí (2018) Analysis of the bitcoin utxo set. In International Conference on Financial Cryptography and Data Security, pp. 78–91. Cited by: §5.4.
  • [14] A. Drenik and D. J. PEREZ (2017) Pricing in multiple currencies in domestic markets. Manuscript, Columbia University. Cited by: §6.1, §7.
  • [15] A. H. Dyhrberg (2016) Bitcoin, gold and the dollar–a garch volatility analysis. Finance Research Letters 16, pp. 85–92. Cited by: §6.1.
  • [16] D. Easley, M. O’Hara, and S. Basu (2019) From mining to markets: the evolution of bitcoin transaction fees. Journal of Financial Economics. Cited by: §7.
  • [17] I. Eyal and E. G. Sirer (2018) Majority is not enough: bitcoin mining is vulnerable. Communications of the ACM 61 (7), pp. 95–102. Cited by: §3.1.4.
  • [18] J. Garay, A. Kiayias, and N. Leonardos (2015) The bitcoin backbone protocol: analysis and applications. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 281–310. Cited by: §3.1.3, §3.2.
  • [19] A. Gervais, G. O. Karame, K. Wüst, V. Glykantzis, H. Ritzdorf, and S. Capkun (2016) On the security and performance of proof of work blockchains. In Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, pp. 3–16. Cited by: §3.1.4, §6.2, §6.2.
  • [20] A. Gervais, H. Ritzdorf, G. O. Karame, and S. Capkun (2015) Tampering with the delivery of blocks and transactions in bitcoin. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 692–705. Cited by: §3.1.4.
  • [21] L. Goodman (2014) Tezos: a self-amending crypto-ledger position paper. Aug 3, pp. 2014. Cited by: footnote 5.
  • [22] L. Gudgeon, P. Moreno-Sanchez, S. Roos, P. McCorry, and A. Gervais (2019) SoK: off the chain transactions.. IACR Cryptology ePrint Archive 2019, pp. 360. Cited by: §2, §4.2.1.
  • [23] N. Houy (2014) The economics of bitcoin transaction fees. GATE WP 1407. Cited by: §7.
  • [24] K. Kaskaloglu (2014) Near zero bitcoin transaction fees cannot last forever. Cited by: §7.
  • [25] R. Khalil and A. Gervais (2017) Revive: rebalancing off-blockchain payment networks. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 439–453. Cited by: §5.3.
  • [26] A. Kiayias, A. Miller, and D. Zindros (2017) Non-interactive proofs of proof-of-work.. IACR Cryptology ePrint Archive 2017 (963), pp. 1–42. Cited by: §8.
  • [27] J. A. Kroll, I. C. Davey, and E. W. Felten (2013) The economics of bitcoin mining, or bitcoin in the presence of adversaries. In Proceedings of WEIS, Vol. 2013, pp. 11. Cited by: §7.
  • [28] S. P. Lalley and E. G. Weyl (2018) Quadratic voting: how mechanism design can radicalize democracy. In AEA Papers and Proceedings, Vol. 108, pp. 33–37. Cited by: 2nd item.
  • [29] A. Lehman (2005) JMP for basic univariate and multivariate statistics: a step-by-step guide. SAS Institute. Cited by: §5.1.
  • [30] K. Liao and J. Katz (2017) Incentivizing blockchain forks via whale transactions. In International Conference on Financial Cryptography and Data Security, pp. 264–279. Cited by: §6.2, §7.
  • [31] Y. Marcus, E. Heilman, and S. Goldberg (2018) Low-resource eclipse attacks on ethereum’s peer-to-peer network.. IACR Cryptology ePrint Archive 2018, pp. 236. Cited by: §3.1.4.
  • [32] M. Möser and R. Böhme (2015)

    Trends, tips, tolls: a longitudinal study of bitcoin transaction fees

    .
    In International Conference on Financial Cryptography and Data Security, pp. 19–33. Cited by: §7.
  • [33] S. Nakamoto et al. (2008) Bitcoin: a peer-to-peer electronic cash system. Cited by: §2.
  • [34] D. Perez and B. Livshits (2019) Broken metre: attacking resource metering in evm. arXiv preprint arXiv:1909.07220. Cited by: §2.
  • [35] R. Piontkovsky et al. (2003) Dollarization, inflation volatility and underdeveloped financial markets in transition economies. Economics Education and Research Consortium Working Paper 3 (02). Cited by: §6.1.
  • [36] J. Poon and T. Dryja (2016) The bitcoin lightning network: scalable off-chain instant payments. Cited by: §4.2.1.
  • [37] J. Prestwich (2018) How to validate bitcoin payments in ethereum (for only 700k gas!). Cited by: §8.
  • [38] J. Spilman (2013) Anti dos for tx replacement. Cited by: §4.2.
  • [39] M. Team (2017) The dai stablecoin system. URl: https://makerdao. com/whitepaper/DaiDec17WP. pdf. Cited by: §6.1, §6.1.
  • [40] A. M. Turing (1937) On computable numbers, with an application to the entscheidungsproblem. Proceedings of the London mathematical society 2 (1), pp. 230–265. Cited by: §2.
  • [41] Z. Williamson (2018) The anonymous zero-knowledge transactions with efficient communication (aztec) protocol. External Links: Link Cited by: footnote 10.
  • [42] G. Wood et al. (2014) Ethereum: a secure decentralised generalised transaction ledger. Ethereum project yellow paper 151 (2014), pp. 1–32. Cited by: §2, §5.2.
  • [43] K. Wüst and A. Gervais (2016) Ethereum eclipse attacks. Technical report ETH Zurich. Cited by: §3.1.4.